Introduction

The Centrify for Splunk Integration Guide assists Centrify Privileged Access Service (PAS) customers in integrating Centrify PAS event data with Splunk. The Centrify Add-on for Splunk normalizes Centrify events once they are indexed in Splunk.

This integration guide applies to the following Splunk versions and Centrify PAS releases:

Splunk Versions     Centrify Privileged Access Service Releases
6.5.x               2016
6.6.x, 7.0.0        2016.1, 2016.2, 2017, 2017.1, 2017.2, 2017.3
8.0                 2020.2
8.1+                2020.6


Splunk Components

The following diagram illustrates the Splunk components that interact with the Centrify Add-on for Splunk:


Centrify Add-on for Splunk

Add-ons are used in Splunk for data onboarding and parsing. The parsed events can be used for ad-hoc searches or to build visualizations. The Centrify Add-on can coexist with other Splunk add-ons without conflicts.

The Centrify Add-on for Splunk contains:

  • Data inputs for Windows and Unix Centrify agents (disabled by default)

  • A Parser to extract all of the Centrify event fields

  • Event types to categorize Centrify event categories such as Centrify Configuration, Direct Authorize – Windows, and so on

  • Tags so that Centrify authentication data complies with the Splunk Common Information Model (CIM)

Centrify App for Splunk

In Splunk, apps are mainly used for data visualization, such as dashboards, reports, and alerts.

The Centrify App for Splunk contains:

  • Sample Centrify dashboards

  • Sample weekly reports

  • Sample alerts